CN1731355A - Harddisk main bootsector program virus defense method - Google Patents


Info

Publication number: CN1731355A
Authority: CN (China)
Prior art keywords: program, hard disk, main, virus, bootstrap program
Legal status: Granted; currently Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN 200510019297 (CNB2005100192977A)
Other languages: Chinese (zh)
Other versions: CN100362471C (en)
Inventor: 张雁
Current assignee: No709 Inst China Ship Heavy Industry Group Co Ltd (709th Research Institute of CSIC) (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: No709 Inst China Ship Heavy Industry Group Co Ltd
Priority date: 2005-08-16 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2005-08-16
Publication date: 2006-02-08 (CN1731355A); granted 2008-01-16 (CN100362471C)

Abstract

The invention discloses a defence method against viruses in the hard disk master boot sector program, comprising the following steps: (1) store a virus-free hard disk master boot program in the BIOS ROM of the computer system; (2) power on the computer system; after power-on self-test and initialization, the BIOS calls the INT 19H service routine to read the contents of the hard disk master boot sector, which include the master boot program, into memory; (3) call the hard disk master boot program stored in the BIOS ROM and overwrite the master boot program in memory with it; (4) the computer system executes the overwritten master boot program in memory.

Description

Defence method against hard disk master boot sector program viruses
Technical field
The present invention relates to the field of computer virus prevention, and in particular to a defence method against viruses in the hard disk master boot sector program.
Background technology
With the widespread adoption of computer technology and Internet applications, more and more computer viruses appear that spread easily and cause damage; they have become an increasingly serious threat to normal life, and the computer community has had to keep developing anti-virus software to cope with this situation. As the most important storage device of a computer, the hard disk makes control of its security particularly important. Track 0, sector 1 of the hard disk (cylinder 0, head 0, sector 1) is called the master boot sector; it holds the master boot program and the partition table. The master boot program is responsible for finding the active partition, whose first sector is the DOS (disk operating system) boot sector. Hard disk virus infections mostly occur in the master boot program of the master boot sector, and a master boot program virus often makes the hard disk behave abnormally during the boot process, so that the operating system cannot be loaded normally, or even damages the master boot sector. In the prior art, the main way of dealing with viruses is to load anti-virus software after the operating system has started, detect the virus and prompt the user to handle it; if a master boot program virus has damaged the hard disk boot area, it may be impossible to enter the operating system at all. More seriously, virus prevention by anti-virus software is built on knowledge of virus signatures, so newly emerging or mutated viruses cannot be prevented promptly and completely. If the anti-virus software cannot handle the virus, the only remaining option is to repair the hard disk master boot sector with FDISK (the partition program) or even a low-level format, which may have catastrophic consequences such as the loss of hard disk data; so even a computer user who has installed anti-virus software still has security worries. Evidently the existing anti-virus methods act passively and cannot protect the hard disk safely and effectively. How to defend against hard disk master boot sector program viruses is therefore an important problem that anti-virus work currently needs to solve.
Summary of the invention
The object of the present invention is to provide a safe and effective defence method against hard disk master boot sector program viruses.
To achieve this object, the invention provides a defence method against hard disk master boot sector program viruses comprising the following steps: (1) store a virus-free hard disk master boot program in the BIOS ROM of the computer system; (2) start the computer system; after power-on self-test and initialization are complete, the BIOS calls the INT 19H bootstrap routine to read the master boot sector contents of the hard disk, which include the master boot program, into memory; (3) call the hard disk master boot program stored in the BIOS ROM and overwrite the master boot program in memory with it; (4) the computer system executes the overwritten master boot program in memory.
The hard disk master boot program stored in the BIOS ROM is a binary file saved from the master boot program portion of the master boot sector contents of a virus-free hard disk, burned into the BIOS ROM so that it can be read repeatedly.
In an existing computer system, once self-test and initialization are complete at start-up, the INT 19H interrupt service routine is called, which then executes the master boot program to boot the operating system. The present invention instead calls a modified INT 19H interrupt service routine: after the hard disk master boot sector contents have been read into memory, the clean master boot program stored beforehand in free space of the BIOS ROM overwrites the master boot program in memory. Thus, whether or not the master boot program in the master boot sector of the current hard disk is infected, what executes is the clean master boot program fixed in the BIOS ROM, which isolates any hard disk master boot program virus. The scheme provided by the invention is simple and easy to implement, lends itself to wide deployment, and uses the computer system's own start-up routine to prevent the serious harm caused by hard disk master boot program viruses.
Description of drawings
Fig. 1 is a schematic diagram of an embodiment of the invention.
Embodiment
Referring to Fig. 1, the invention provides a defence method comprising the following steps: (1) store a virus-free hard disk master boot program in the BIOS ROM of the computer system; (2) start the computer system; after power-on self-test and initialization are complete, the BIOS calls the INT 19H bootstrap routine to read the master boot sector contents of the hard disk, which include the master boot program, into memory; (3) call the hard disk master boot program stored in the BIOS ROM and overwrite the master boot program in memory with it; (4) the computer system executes the overwritten master boot program in memory.
The BIOS ROM referred to in the present invention is the read-only memory that stores the computer's basic input/output system. It holds the computer system's most important basic input/output routines, the system configuration settings, the power-on self-test program and the system start-up bootstrap routine. The BIOS also provides interrupt service routines that carry out data transfer between the various hardware interface devices and the CPU. It is the programmable interface between the computer's software and hardware, the lowest-level software in the computer, and the link between application software functionality and what the microcomputer hardware implements.
After the computer user has run the FDISK program, the partitions are set up and track 0, sector 1 (cylinder 0, head 0, sector 1) of the hard disk, also called the master boot sector, is established. This sector consists of three parts: the master boot program, the hard disk partition table and the boot validity signature. The master boot program is 240 bytes long, occupies offsets 0-0EFH and is used mainly to boot the hard disk. The following 206 bytes are unused. The 64 bytes at offsets 1BEH-1FDH are the disk partition table, which describes the partitioning of the hard disk; they are divided into 4 entries of 16 bytes each, and each entry records the information for one partition. The two bytes at offsets 1FEH and 1FFH are 55H and AAH, the partition validity signature, which marks the boot record as valid. The front of the master boot sector is the master boot program; it belongs to no partition and to no operating system, and is common to all operating systems. When booting from the hard disk, the ROM BIOS on the system board reads the contents of the first sector of the hard disk to memory address 0:7C00H and execution begins there. The main task of the master boot program is to check the boot flags of the 4 entries in the partition table: when the boot flag of an entry is 80H, the master boot program reads the first sector of that partition into memory at 0:7C00H and begins executing from there, which in practice executes that partition's boot sector. Therefore, for different system disks the master boot program in the master boot sector may differ slightly but does the same work; what differs is the hard disk partition table in the master boot sector.
The present invention first needs a clean hard disk master boot program to keep in the BIOS ROM for later use. In a specific implementation, one finds a clean, uninfected hard disk, reads the 512 bytes of its master boot sector and saves the first 240 bytes (offsets 0-0EFH) of those 512 bytes as a binary file, referred to here as the boot.rom file.
The specific embodiment of the invention modifies the INT 19H interrupt service routine in the BIOS program. In the prior art, when the computer system powers up, the BIOS completes self-test and initialization and then calls the INT 19H interrupt service routine, which is responsible for finding the boot device and reading its master boot sector into RAM (memory) at 0:7C00H; the program then begins executing from 0:7C00H and boots the operating system. In the design of the present invention, after the INT 19H routine has read the master boot sector of the current hard disk into memory at 0:7C00H, it copies the boot.rom file stored at some location in the BIOS ROM to 0:7C00H, overwriting the master boot program originally read into RAM; INT 19H then continues its original task, the program far-jumps to 0:7C00H and begins executing, and the operating system is booted.
To guarantee that the master boot program used to boot the hard disk is uninfected, the hard disk master boot program stored in the BIOS ROM is a binary file saved from the master boot program portion of the master boot sector contents of a virus-free hard disk, burned into the BIOS ROM for repeated reading. In a specific implementation, the modified BIOS program can be burned into the ROM together with boot.rom at a predetermined address. Among the various ROM chips, Flash ROM (Flash EEPROM) is currently the most common erasable ROM and is widely used for BIOS storage, which makes the present invention convenient to implement on that basis.
The workflow of this virus defence method in a specific implementation is as follows:
Step 01: power on.
Step 02: after the system starts, it performs power-on self-test and initialization, i.e. POST (Power On Self Test).
Step 03: if POST and initialization complete normally, call the INT 19H interrupt service, which reads the master boot sector of the boot device (track 0, sector 1 of the hard disk or floppy disk) into RAM starting at segment 0, offset 7C00H.
Step 04: judge whether the sector read is a boot sector, i.e. whether the flag at the end of the sector is 55H AAH. If not, go to step 05; if so, go to step 07.
Step 05: judge whether there is a next boot device. If so, return to step 03 and read the master boot sector of the next boot device; if not, go to step 06.
Step 06: call the interrupt routine INT 18H, which prompts for a bootable floppy.
Step 07: judge whether the boot device is a floppy drive. Because the boot sector structure of a floppy disk differs from that of a hard disk, the present invention only defends against hard disk boot viruses; to avoid errors, the INT 19H interrupt service routine includes a check step that determines whether the boot device is a floppy drive. If it is not a floppy drive, i.e. it is a hard disk, go to step 08; if it is a floppy drive, go directly to step 09.
Step 08: read the 240-byte clean master boot program fixed in the ROM into memory at 0:7C00H.
Step 09: far-jump to 0:7C00H and begin executing the master boot program. Control of the computer passes to the master boot program, which boots the operating system.
A warm boot behaves the same as a cold boot.
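The sector layout described above and steps 04 to 08 of the workflow, as an added example written for this edit and not taken from the patent or from any BIOS: a host-side C99 program that builds a constructed 512-byte master boot sector, extracts a boot.rom stand-in from a "clean" sector, checks the 55H AAH signature and the 80H boot flag, and applies the overlay step to a buffer that stands in for memory at 0:7C00H. The partition entry values, the 0x90 and 0xCC code fills and the buffer names are all assumptions made for the example; nothing here touches a real disk or BIOS.

```c
/* Added example, not the patent's code: host-side model of the master boot
 * sector (0x000-0x0EF code, 0x1BE-0x1FD partition table, 0x1FE-0x1FF signature)
 * and of steps 04-08 of the modified INT 19H. All data is constructed below. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE      512
#define MBR_CODE_LEN     240      /* master boot program, offsets 0x000-0x0EF */
#define PART_TABLE_OFF   0x1BE    /* four 16-byte entries, 0x1BE-0x1FD */
#define PART_ENTRY_LEN   16
#define SIG_OFF          0x1FE    /* 0x55 0xAA */
#define BOOT_FLAG_ACTIVE 0x80

enum boot_action {
    BOOT_NEXT_DEVICE = -1,   /* step 04 failed: no 55H AAH, next device or INT 18H */
    BOOT_AS_READ     = 0,    /* step 07: floppy, execute the sector exactly as read */
    BOOT_OVERLAID    = 1     /* step 08: hard disk, code bytes replaced from ROM */
};

/* Step 04: the last two bytes must be 55H AAH for the sector to be a boot sector. */
static bool mbr_has_signature(const uint8_t sec[SECTOR_SIZE])
{
    return sec[SIG_OFF] == 0x55 && sec[SIG_OFF + 1] == 0xAA;
}

/* What the master boot program does first: find the entry flagged 80H.
 * Returns 0..3, or -1 if there is none, more than one, or a flag byte that
 * is neither 00H nor 80H (treated as a corrupt table). */
static int mbr_active_partition(const uint8_t sec[SECTOR_SIZE])
{
    int active = -1;
    for (int i = 0; i < 4; i++) {
        uint8_t flag = sec[PART_TABLE_OFF + i * PART_ENTRY_LEN];
        if (flag == BOOT_FLAG_ACTIVE) {
            if (active != -1)
                return -1;
            active = i;
        } else if (flag != 0x00) {
            return -1;
        }
    }
    return active;
}

/* Preparation: save the first 240 bytes of a known-clean sector as boot.rom. */
static void extract_boot_rom(const uint8_t clean_sec[SECTOR_SIZE], uint8_t rom[MBR_CODE_LEN])
{
    memcpy(rom, clean_sec, MBR_CODE_LEN);
}

/* Steps 04, 07 and 08 applied to the sector already read into the buffer that
 * stands in for 0:7C00H. Only the code region is replaced; the partition
 * table and the signature stay exactly as read from the disk. */
static enum boot_action int19_overlay(uint8_t mem7c00[SECTOR_SIZE],
                                      const uint8_t rom[MBR_CODE_LEN],
                                      bool device_is_floppy)
{
    if (!mbr_has_signature(mem7c00))
        return BOOT_NEXT_DEVICE;
    if (device_is_floppy)
        return BOOT_AS_READ;
    memcpy(mem7c00, rom, MBR_CODE_LEN);
    return BOOT_OVERLAID;
}

/* Constructed sample sector: entry 0 active (type 0x0B, start LBA 63, 0x1000
 * sectors; values made up for the example), code region filled with code_fill. */
static void build_sample_mbr(uint8_t sec[SECTOR_SIZE], uint8_t code_fill, bool with_signature)
{
    memset(sec, 0x00, SECTOR_SIZE);
    memset(sec, code_fill, MBR_CODE_LEN);
    uint8_t *e0 = sec + PART_TABLE_OFF;
    e0[0] = BOOT_FLAG_ACTIVE;  /* boot flag */
    e0[4] = 0x0B;              /* partition type */
    e0[8] = 0x3F;              /* starting LBA, little-endian */
    e0[13] = 0x10;             /* sector count 0x00001000, little-endian */
    if (with_signature) {
        sec[SIG_OFF] = 0x55;
        sec[SIG_OFF + 1] = 0xAA;
    }
}

/* True if the code region now equals the ROM image and everything from the
 * partition table to the end of the sector is byte-for-byte as read. */
static bool overlay_verified(const uint8_t mem[SECTOR_SIZE], const uint8_t rom[MBR_CODE_LEN],
                             const uint8_t as_read[SECTOR_SIZE])
{
    return memcmp(mem, rom, MBR_CODE_LEN) == 0 &&
           memcmp(mem + PART_TABLE_OFF, as_read + PART_TABLE_OFF,
                  SECTOR_SIZE - PART_TABLE_OFF) == 0;
}

int main(void)
{
    uint8_t clean[SECTOR_SIZE], rom[MBR_CODE_LEN], mem[SECTOR_SIZE], as_read[SECTOR_SIZE];
    build_sample_mbr(clean, 0x90, true);   /* "clean disk": NOPs as code */
    extract_boot_rom(clean, rom);          /* boot.rom */
    build_sample_mbr(mem, 0xCC, true);     /* "infected disk": INT3s as code */
    memcpy(as_read, mem, SECTOR_SIZE);
    enum boot_action a = int19_overlay(mem, rom, false);
    printf("hard disk: action=%d overlay_ok=%d active=%d first_byte=%02X\n",
           a, (int)overlay_verified(mem, rom, as_read), mbr_active_partition(mem), mem[0]);
    return 0;
}
```

The overlay replaces only the first 240 bytes, so the partition table and signature reach the clean code exactly as the disk supplied them. That is the patent's scope: it isolates whatever is in the master boot program, not tampering with the partition table or with a partition's own boot sector, and because Flash ROM is rewritable, the stored clean image is only as trustworthy as the write protection on the BIOS ROM itself.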

Claims (2)

1. A defence method against hard disk master boot sector program viruses, characterized in that it comprises the following steps:
(1) storing a virus-free hard disk master boot program in the BIOS ROM of the computer system;
(2) starting the computer system; after power-on self-test and initialization are complete, the BIOS calls the INT 19H bootstrap routine to read the master boot sector contents of the hard disk, which include the master boot program, into memory;
(3) calling the hard disk master boot program stored in the BIOS ROM to overwrite the master boot program in memory;
(4) the computer system executing the overwritten master boot program in memory.
2. The defence method against hard disk master boot sector program viruses as claimed in claim 1, characterized in that the hard disk master boot program stored in the BIOS ROM is a binary file saved from the master boot program portion of the master boot sector contents of a virus-free hard disk, burned into the BIOS ROM for repeated reading.

Priority Applications (1)

CNB2005100192977A (CN100362471C), priority date 2005-08-16, filing date 2005-08-16: Harddisk main bootsector program virus defense method

Applications Claiming Priority (1)

CNB2005100192977A (CN100362471C), priority date 2005-08-16, filing date 2005-08-16: Harddisk main bootsector program virus defense method

Publications (2)

CN1731355A, published 2006-02-08
CN100362471C, published 2008-01-16

Family

ID=35963716

Family Applications (1)

CNB2005100192977A (CN100362471C), Expired - Fee Related, priority date 2005-08-16, filing date 2005-08-16: Harddisk main bootsector program virus defense method

Country Status (1)

CN: CN100362471C (en)

Cited By (5)

* Cited by examiner, † Cited by third party
CN102985929A *, priority 2010-05-11, published 2013-03-20, 杉中顺子: External boot device, external boot program, external boot method and network communication system
CN104751082A *, priority 2013-12-30, published 2015-07-01, 研祥智能科技股份有限公司: Operating system and data security control method and operating system and data security control device
CN104751082B *, priority 2013-12-30, published 2019-02-05, 研祥智能科技股份有限公司: Operating system and data security control method and device
CN103955649A *, priority 2014-05-23, published 2014-07-30, 四川九成信息技术有限公司: Method for safely starting terminal equipment
CN103955649B *, priority 2014-05-23, published 2017-03-08, 南方电网科学研究院有限责任公司: A kind of method of clean boot terminal unit

Family Cites Families (3)

* Cited by examiner, † Cited by third party
WO1992021087A1 *, priority 1991-05-13, published 1992-11-26, Hill, William, Stanley: Method and apparatus for preventing 'disease' damage in computer systems
CN1104354A *, priority 1993-12-20, published 1995-06-28, 北京市三佳网络系统工程公司: Virus-proof method for universal network
CN1258885A *, priority 1998-12-28, published 2000-07-05, 神达电脑股份有限公司: Computer system capable of detecting turnon virus


Also Published As

Publication number Publication date
CN100362471C (en) 2008-01-16


Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
C14 / GR01: Grant of patent or utility model (granted publication date: 2008-01-16)
CF01 / EXPY: Termination of patent right or utility model due to non-payment of annual fee (termination date: 2014-08-16)